
Principles of Information Security, Fourth Edition



Presentation on theme: "Principles of Information Security, Fourth Edition"— Presentation transcript:

1 Principles of Information Security, Fourth Edition
Chapter 11 Security and Personnel

2 Learning Objectives
Upon completion of this material, you should be able to:
- Describe where and how the information security function is positioned within organizations
- Explain the issues and concerns related to staffing the information security function
- Enumerate the credentials that information security professionals can earn to gain recognition in the field
- Illustrate how an organization’s employment policies and practices can support the information security effort

Upon completion of this chapter you should be able to:
- Understand where and how the information security function is positioned within organizations
- Understand the issues and concerns about staffing the information security function
- Know about the credentials professionals in the information security field can acquire
- Recognize how an organization’s employment policies and practices can support the information security effort
- Understand the special security precautions necessary for nonemployees
- Recognize the need for the separation of duties
- Understand the special requirements needed for the privacy of personnel data

3 Learning Objectives (cont’d.)
- Identify the special security precautions that must be taken when using contract workers
- Explain the need for the separation of duties
- Describe the special requirements needed to ensure the privacy of personnel data

4 Introduction
- When implementing information security, there are many human resource issues that must be addressed:
  - Positioning and naming
  - Staffing
  - Evaluating the impact of information security across every role in the IT function
  - Integrating solid information security concepts into personnel practices
- Employees often feel threatened when the information security program is being updated

Introduction
When implementing information security, there are many human resource issues that must be addressed. First, the entire organization must decide how to position and name the security function. Second, the communities of interest must plan for the proper staffing of the information security function. Third, the IT community of interest must understand the impact of information security across every role in the IT function and adjust job descriptions and documented practices accordingly. Finally, the general management community of interest must work with the information security professionals to integrate solid information security concepts into the personnel management practices of the organization. Understanding the impact of change on the organization’s personnel management practices is important to the success of the implementation phase. Experience has shown that employees often feel threatened when an organization is creating or enhancing an overall information security program. Quelling the doubts and reassuring the employees is a fundamental part of the implementation process. It is important to supply adequate resources to gather and respond quickly to employee feedback.

5 Positioning and Staffing the Security Function
- The security function can be placed within:
  - IT function
  - Physical security function
  - Administrative services function
  - Insurance and risk management function
  - Legal department
- Organizations balance needs of enforcement with needs for education, training, awareness, and customer service

Security Function within an Organization’s Structure
In Charles Cresson Wood’s book, Information Security Roles and Responsibilities Made Easy, the author indicates that the security function can be placed within the:
- IT function, as a peer of other functions (networks, applications development, and help desk)
- Physical security function, as a peer of physical security or protective services
- Administrative services function, as a peer of human resources or purchasing
- Insurance and risk management function
- Legal department
The challenge is to design a reporting structure for the information security function that balances the competing needs of each of the communities of interest. Organizations find compromise by placing the information security function where it can best balance the needs of enforcement of organizational policy with the education, training, awareness, and customer service needed to make information security part of the organizational culture.

6 Staffing the Information Security Function
- Selecting personnel is based on many criteria, including supply and demand
- Many professionals enter the security market by gaining skills, experience, and credentials
- At present, the information security industry is in a period of high demand

Staffing the Security Function
Selecting information security personnel is based on a number of criteria, including the principles of supply and demand. Many potential professionals seek to enter the security market by gaining the skills, experience, and credentials to qualify as a new supply. Until the new supply reaches the demand level, organizations must pay the higher costs associated with the current limited supply. Once the supply reaches a level at or above demand, the organizations hiring these skills become selective, and the cost they are willing to pay drops. At the present time, the information security industry is in a period of high demand, with few qualified individuals available for organizations seeking their services.

7 Staffing the Information Security Function (cont’d.)
- Qualifications and requirements
- The following factors must be addressed:
  - General management should learn more about skills and qualifications for positions
  - Upper management should learn about budgetary needs of the information security function
  - IT and general management must learn more about the level of influence and prestige the information security function should be given to be effective
- Organizations typically look for a technically qualified information security generalist

Qualifications and Requirements
There are a number of factors that influence an organization’s hiring decisions. In many organizations, information security teams lack established roles and responsibilities. For the information security discipline to move forward, these factors must be addressed:
- Management should learn more about position requirements and qualifications for both information security positions and IT positions that impact infosec.
- Upper management should also learn more about the budgetary needs of the infosec function.
- IT and management need to learn more about the level of influence and prestige the information security function should be given in order to be effective.
In most cases, organizations look for a technically qualified information security generalist, with a solid understanding of how an organization operates. In many other career fields, the more specialized professionals become, the more marketable they are. But in the information security discipline, overspecialization is often a risk. It is important to balance technical skills with general information security knowledge.

8 Staffing the Information Security Function (cont’d.)
- Qualifications and requirements (cont’d.)
- Organizations look for information security professionals who understand:
  - How an organization operates at all levels
  - Information security is usually a management problem, not a technical problem
  - Strong communications and writing skills
  - The role of policy in guiding security efforts

Hiring Criteria
When hiring InfoSec professionals, organizations frequently look for individuals who understand:
- How an organization operates at all levels
- Information security is usually a management problem and is seldom an exclusively technical problem
- People, and who have strong communications and writing skills
- The roles of policy and of education and training
- The threats and attacks facing an organization
- How to protect the organization from attacks
- How business solutions can be applied to solve specific information security problems
- Many of the most common mainstream IT technologies, as generalists
- The terminology of IT and information security

9 Staffing the Information Security Function (cont’d.)
- Qualifications and requirements (cont’d.)
- Organizations look for information security professionals who understand (cont’d.):
  - Most mainstream IT technologies
  - The terminology of IT and information security
  - Threats facing an organization and how they can become attacks
  - How to protect the organization’s assets from information security attacks
  - How business solutions can be applied to solve specific information security problems

10 Staffing the Information Security Function (cont’d.)
- Entry into the information security profession
- Many information security professionals enter the field through one of two career paths:
  - Law enforcement and military
  - Technical, working on security applications and processes
- Today, students select and tailor degree programs to prepare for work in information security
- Organizations can foster greater professionalism by matching candidates to clearly defined expectations and position descriptions

Entry into the Security Profession
Many information security professionals enter the field through one of two career paths:
- First, ex-law enforcement and military personnel move from their respective environments into the more business-oriented world of information security, and
- Second, technical professionals find themselves working on security applications and processes more often than on traditional IS tasks.
Today, college graduates and upper division students are selecting and tailoring degree programs to prepare for work in the field of security. The current perception in InfoSec is that a security professional must first be a proven professional in another field of IT. IT professionals who move into information security, however, tend to focus on the technology to the exclusion of general information security issues. Organizations can foster greater professionalism in the information security discipline through clearly defined expectations and position descriptions.

11 Figure 11-1 Career Paths to Information Security Positions

12 Staffing the Information Security Function (cont’d.)
- Information security positions
  - Use of standard job descriptions can increase the degree of professionalism and improve the consistency of roles and responsibilities between organizations
  - Charles Cresson Wood’s book, Information Security Roles and Responsibilities Made Easy, offers a set of model job descriptions

Information Security Positions
The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities between organizations. Organizations that are revising the roles and responsibilities of InfoSec staff can consult references like Wood’s book Information Security Roles and Responsibilities Made Easy, or Schwartz et al.’s report “InfoSec Staffing Help Wanted”.

13 Figure 11-2 Positions in Information Security

14 Staffing the Information Security Function (cont’d.)
- Chief Information Security Officer (CISO or CSO)
  - Top information security position; frequently reports to the Chief Information Officer (CIO)
  - Manages the overall information security program
  - Drafts or approves information security policies
  - Works with the CIO on strategic plans

Chief Information Security Officer
This position is typically considered the top information security officer in the organization. The CISO is usually not an executive-level position and frequently reports to the Chief Information Officer. Though CISOs are business managers first and technologists second, they must also be conversant in all areas of security, including technical, planning, and policy. The CISO performs the following functions:
- Manages the overall InfoSec program
- Drafts or approves information security policies
- Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
- Develops InfoSec budgets based on funding
- Sets priorities for the purchase and implementation of InfoSec projects and technology
- Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
- Acts as the spokesperson for the security team

Qualifications and Position Requirements
The most common qualification expected for this type of position is the Certified Information Systems Security Professional. A graduate degree in one of the following areas is also probably required: criminal justice, business, technology, or other related fields. To qualify for this level of position, the candidate demonstrates experience as a security manager and presents experience with planning, policy, and budgets.

15 Staffing the Information Security Function (cont’d.)
- Chief Information Security Officer (CISO or CSO) (cont’d.)
  - Develops information security budgets
  - Sets priorities for information security projects and technology
  - Makes recruiting, hiring, and firing decisions or recommendations
  - Acts as spokesperson for the information security team
  - Typical qualifications: accreditation, graduate degree, experience

16 Staffing the Information Security Function (cont’d.)
- Security manager
  - Accountable for day-to-day operation of the information security program
  - Accomplishes objectives as identified by the CISO
  - Typical qualifications: not uncommon to have accreditation; ability to draft middle- and lower-level policies, standards, and guidelines; budgeting, project management, and hiring and firing; managing technicians

Security Manager
Security managers are accountable for the day-to-day operation of the information security program. They accomplish objectives as identified by the CISO and resolve issues identified by technicians. Within the information security community, there may be team leaders or project managers who are responsible for certain management-like functions, such as scheduling, setting relative priorities, or administering any number of procedural tasks, but who are not necessarily held accountable for making a particular technology function.

Qualifications and Position Requirements
It is not uncommon for a candidate for this position to have a CISSP. Traditionally, managers earned the CISSP while technical professionals earned the Global Information Assurance Certification. Security managers must have the ability to draft middle- and lower-level policies as well as standards and guidelines. They must have experience in traditional business matters: budgeting, project management, and hiring and firing. They must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities.

17 Staffing the Information Security Function (cont’d.)
- Security technician
  - Technically qualified individuals tasked to configure security hardware and software
  - Tend to be specialized
  - Typical qualifications: varied; organizations prefer the expert, certified, proficient technician
  - Some experience with a particular hardware and software package
  - Actual experience in using a technology is usually required

Security Technician
Security technicians are the technically qualified individuals tasked to configure security hardware and software and coordinate with administrators to ensure security is properly implemented. A security technician is the ideal entry-level position; however, some technical skills are usually required. Just as in networking, security technicians tend to be specialized, focusing on one major security technology group, and further specializing in one software or hardware package within the group. If a security technician wants to move up, he or she must gain an understanding of the general, organizational issues of InfoSec as well.

Qualifications and Position Requirements
The technical qualifications and position requirements for a security technician are varied. Organizations prefer the expert, certified, proficient technician. Regardless of the area, the particular job description covers some level of experience with a particular hardware and software package. Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required.

18 Credentials of Information Security Professionals
- Many organizations seek recognizable certifications
- Most existing certifications are relatively new and not fully understood by hiring organizations

Credentials of Information Security Professionals
Many organizations seek recognizable certifications to indicate the level of proficiency associated with the various security positions. Most existing certifications are relatively new and not fully understood by hiring organizations. The certifying bodies work hard to educate the general public on the value and qualifications of their certificate recipients. Employers are trying to understand the match between certifications and the position requirements, and the candidates are trying to gain meaningful employment based on their newly received certifications.

CISSP and SSCP
Considered the most prestigious certification for security managers and CISOs, the CISSP is one of two certifications offered by the International Information Systems Security Certification Consortium. The SSCP is the other. In order to sit for the CISSP exam, the candidate must possess at least three years of direct full-time security professional work in one or more of 10 domains of information security knowledge:
- Access control systems and methodology
- Applications and systems development
- Business continuity planning
- Cryptography
- Law, investigation, and ethics
- Operations security
- Physical security
- Security architecture and models
- Security management practices
- Telecommunications, network, and Internet security
Once a candidate receives the CISSP, he or she must earn a specific number of continuing education credits every three years to retain the certification. Like the CISSP, the SSCP certification is more applicable to the security manager than the technician, because most questions focus on the operational nature of InfoSec. The SSCP focuses “on practices, roles and responsibilities as defined by experts from major IS industries.” The SSCP covers seven domains:
- Access controls
- Administration
- Audit and monitoring
- Risk, response, and recovery
- Cryptography
- Data communications
- Malicious code and malware

Global Information Assurance Certification
SANS developed a series of technical security certifications in 1999, known as the GIAC. At the time, there were no technical certifications. The GIAC family of certifications can be pursued independently or combined to earn the comprehensive certification, GIAC Security Engineer (GSE). Like the SSCP, the GIAC Information Security Officer (GISO) is an overview certification that combines basic technical knowledge with an understanding of threats, risks, and best practices. Unlike other certifications, GIAC certifications require the applicant to first complete a written practical assignment before being allowed to take the exam. GIAC certifications include:
- GIAC Security Essentials Certification (GSEC)
- GIAC Certified Firewall Analyst (GCFW)
- GIAC Certified Intrusion Analyst (GCIA)
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Windows Security Administrator (GCWN)
- GIAC Certified UNIX Security Administrator (GCUX)
- GIAC Information Security Officer - Basic (GISO - Basic)
- GIAC Systems and Network Auditor (GSNA)
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Security Leadership Certificate (GSLC)
To obtain the GIAC Certified Engineer, which is considered the pinnacle of GIAC certifications, candidates must earn all of the above certifications and receive honors recognition in at least one before they are even allowed to sit for the final certification. GIAC is designed not only to test knowledge of a field, but also to require application of that knowledge through the practicum. While there are a growing number of entry-level certifications, GIAC currently offers the only advanced technical certifications.

Security Certified Professional
One of the newest certifications in information security, the SCP certification provides two tracks: the Security Certified Network Professional and the Security Certified Network Architect. The SCNP track focuses on firewalls and intrusion detection, and requires two exams:
- Network Security Fundamentals (NSF)
- Network Defense and Countermeasures (NDC)
The SCNA program focuses more on authentication, including biometrics and PKI:
- PKI and Biometrics Concepts and Planning (PBC)
- PKI and Biometrics Implementation (PBI)

T.I.C.S.A. and T.I.C.S.E.
The TruSecure ICSA certifications are among the first vendor-sponsored certifications that focus on providing certifications that are skills- and knowledge-based, technology specific, and pragmatic. A candidate must demonstrate appropriate experience and training before being allowed to sit for the examinations. The T.I.C.S.A. certification is highly technical and is targeted towards network and systems administrators. The examination is also based on the following TruSecure six categories of risk:
- Electronic: external and internal, hacking and sniffing, spoofing
- Malicious code: viruses and worms, Java and ActiveX, Trojans
- Physical: theft and terminal hijack
- Human: social engineering
- Privacy
- Downtime: DoS attacks, bugs, power, civil unrest, natural disasters

Security+
CompTIA is in the process of defining the body of knowledge necessary for their next certification. The Security+ certification will probably be similar to the Network+ certification and to many others in its focus on key skills necessary to perform security, without being tied to a particular software or hardware vendor package.

Certified Information Systems Auditor
The CISA certification contains many information security components. The Information Systems Audit and Control Association promotes the certification for auditing, networking, and security professionals. The CISA certification has requirements common to other security certifications, including:
- Successful completion of the CISA examination
- Experience as an information systems auditor
- Agreement to the Code of Professional Ethics and the Information Systems Auditing Standards
- Continuing education
The exam covers the following areas of information systems auditing:
- The IS audit process (10 percent)
- Management, planning, and organization of IS (11 percent)
- Technical infrastructure and operational practices (13 percent)
- Protection of information assets (25 percent)
- Disaster recovery and business continuity (10 percent)
- Business application system development, acquisition, implementation, and maintenance (16 percent)
- Business process evaluation and risk management (15 percent)
The exam is only offered once a year, so advance planning is a must.

Certified Information Systems Forensics Investigator
The Information Security Forensics Association is developing an examination for a certified information systems forensics investigator, which evaluates tasks and responsibilities dealing with incident response, working with law enforcement, and auditing incidents. Although the certification exam has not been fully developed, the common body of knowledge has been tentatively defined to include:
- Countermeasures
- Auditing
- Incident response teams
- Law enforcement and investigation
- Traceback

19 Certifications
(ISC)2 Certifications
- Certified Information Systems Security Professional (CISSP)
- Systems Security Certified Practitioner (SSCP)
- Associate of (ISC)2
- Certification and Accreditation Professional (CAP)
ISACA Certifications
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)

20 Certifications (cont’d.)
- SANS Global Information Assurance Certification (GIAC)
- Security Certified Program (SCP)
- CompTIA’s Security+
- Certified Computer Examiner (CCE)
Related Certifications
- Prosoft
- RSA Security
- CheckPoint
- Cisco

21 Certification Costs
- Better certifications can be very expensive
- Even experienced professionals find it difficult to take an exam without some preparation
- Many candidates teach themselves through trade press books; others prefer the structure of formal training
- Before attempting a certification exam, do all homework and review the exam criteria, its purpose, and requirements in order to ensure that the time and energy spent pursuing certification are well spent

Cost of Being Certified
Certifications cost money, and the better certifications can be quite expensive. The cost of formal training to prepare for the certification can also be significant. While you should not attempt to earn a certification without professional experience, these courses can help candidates round out their knowledge and fill in gaps. Even an experienced professional would find it difficult to sit for one of these exams without some preparation. Many candidates teach themselves through trade press books. Others prefer the structure of formal training, because it includes practicing the technical components on equipment the candidate may not be able to access otherwise. Before attempting a certification exam, do your homework. Look at the exam criteria, its purpose, and requirements in order to ensure that the time and energy spent pursuing the certification are well spent.

22 Figure 11-3 Preparing for Security Certification

23 Advice for Information Security Professionals
- Always remember: business before technology
- Technology provides elegant solutions for some problems, but adds to difficulties for others
- Never lose sight of the goal: protection
- Be heard and not seen
- Know more than you say; be more skillful than you let on
- Speak to users, not at them
- Your education is never complete

Advice for Information Security Professionals
As a future information security professional, you can benefit from suggestions on entering the information security job market. Always remember: business first, technology last. It’s all about the information. Be heard and not seen. Know more than you say; be more skillful than you let on. Speak to users, not at them. Your education is never complete.

24 Employment Policies and Practices
- The management community of interest should integrate solid information security concepts into the organization’s employment policies and practices
- The organization should make information security a documented part of every employee’s job description

Employment Policies and Practices
The general management community of interest should integrate solid information security concepts into the organization’s employment policies and practices. If the organization can include security as a documented part of every employee’s job description, then perhaps information security will be taken more seriously.

25 Employment Policies and Practices (cont’d.)
- From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls
- The CISO and information security manager should provide human resources with information security input to personnel hiring guidelines

Hiring and Termination Issues
From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls. The CISO and information security manager should establish a dialogue with the Human Resources department to provide an information security viewpoint for hiring personnel.

26 Figure 11-4 Hiring Issues

27 Job Descriptions
- Integrating information security perspectives into the hiring process begins with reviewing and updating all job descriptions
- The organization should avoid revealing access privileges to prospective employees when advertising open positions

Job Descriptions
Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions. To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions.

28 Interviews
- An opening within the information security department creates a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate
- Information security should advise HR to limit the information provided to the candidate on the responsibilities and access rights the new hire would have
- For organizations that include on-site visits as part of interviews, it’s important to use caution when showing the candidate around the facility

Interviews
The next point of contact with a potential employee is the job interview. An opening within information security opens up a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate. For other areas, information security should advise HR to limit the information provided to the candidate on the responsibilities and access rights the new hire would have. For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility.

29 Background Checks
- Investigation into a candidate’s past
- Should be conducted before the organization extends an offer to the candidate
- Background checks differ in the level of detail and depth with which the candidate is examined
- May include identity check, education and credential check, previous employment verification, reference check, worker’s compensation history, motor vehicle records, drug history, credit history, and more

Background Checks
A background check is an investigation into the candidate’s past, specifically looking for criminal behavior that could indicate potential for future misconduct. There are a number of regulations that govern what the organization can investigate and how much of the information can influence the hiring decision, requiring the security and HR managers to discuss these matters with counsel. Background checks differ in the level of detail and depth with which the candidate is examined:
- Identity checks
- Education and credential checks
- Previous employment verification
- Reference checks
- Worker’s compensation history
- Motor vehicle records
- Drug history
- Credit history
- Civil court history
- Criminal court history

30 Types of Background Checks
- Identity checks: validation of identity and Social Security number
- Education and credential checks: validation of institutions attended, degrees and certifications earned, and certification status
- Previous employment verification: validation of where candidates worked, why they left, what they did, and for how long
- Reference checks: validation of references and the integrity of reference sources

31 Types of Background Checks (cont’d.)

- Worker’s compensation history: Investigation of claims from worker’s compensation
- Motor vehicle records: Investigation of driving records, suspensions, and DUIs
- Drug history: Screening for drugs and drug usage, past and present
- Credit history: Investigation of credit problems, financial problems, and bankruptcy

32 Types of Background Checks (cont’d.)

- Civil court history: Investigation of involvement as the plaintiff or defendant in civil suits
- Criminal court history: Investigation of criminal background, arrests, convictions, and time served

33 Employment Contracts

- Once a candidate has accepted the job offer, employment contract becomes important security instrument
- Many security policies require an employee to agree in writing
- New employees may find policies classified as “employment contingent upon agreement,” whereby employee is not offered the position unless binding organizational policies are agreed to

Once a candidate has accepted the job offer, the employment contract becomes an important security instrument. Many policies require an employee to agree in writing. If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation. New employees, however, may find policies classified as “employment contingent upon agreement,” whereby the employee is not offered the position unless he agrees to the binding organizational policies.

34 New Hire Orientation

- New employees should receive extensive information security briefing on policies, procedures, and requirements for information security
- Levels of authorized access are outlined; training provided on secure use of information systems
- By the time employees start, they should be thoroughly briefed and ready to perform duties securely

As new employees are introduced into the organization’s culture and workflow, they should receive an extensive information security briefing on all major policies, procedures, and requirements for information security within the new position. The levels of authorized access are outlined, and training is provided on the secure use of information systems. By the time employees are ready to report to their positions, they should be thoroughly briefed and ready to perform their duties securely.

35 On-the-Job Security Training

- Organization should conduct periodic security awareness training
- Keeping security at the forefront of employees’ minds and minimizing employee mistakes is an important part of information security awareness mission
- External and internal seminars also increase level of security awareness for all employees, particularly security employees

As part of the new hire’s ongoing job orientation, and as part of every employee’s security responsibilities, the organization should conduct periodic security awareness and training. Keeping security at the forefront of employees’ minds and minimizing employee mistakes is an important part of the information security mission. Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees.

36 Evaluating Performance

- Organizations should incorporate information security components into employee performance evaluations
- Employees pay close attention to job performance evaluations
- If evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level

Performance Evaluation
To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations. Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level.

37 Termination

- When employee leaves organization, there are a number of security-related issues
- Key is protection of all information to which employee had access
- Once cleared, the former employee should be escorted from premises
- Many organizations use an exit interview to remind former employee of contractual obligations and to obtain feedback

When an employee leaves an organization, there are a number of security-related issues. Key among these is the continuity of protection of all information to which the employee had access. When an employee prepares to leave, the following tasks must be performed:
- Access to the organization’s systems disabled
- Removable media returned
- Hard drives secured
- File cabinet locks changed
- Office door lock changed
- Keycard access revoked
- Personal effects removed from the organization’s premises
Once the employee has delivered keys, keycards, and other business property, he or she should be escorted from the premises. In addition to the tasks listed above, many organizations use an exit interview to remind the employee of contractual obligations, such as nondisclosure agreements, and to obtain feedback on the employee’s tenure in the organization. At this time, the employee should be reminded that should he or she fail to comply with contractual obligations, civil or criminal action may result. From a security standpoint, security cannot risk the exposure of organizational information. The simplest and best method to handle the outprocessing of an employee is to select one of the scenarios that follows, based on the employee’s reasons for leaving.

38 Termination (cont’d.)

- Hostile departures include termination for cause, permanent downsizing, temporary lay-off, or some instances of quitting
- Before employee is aware, all logical and keycard access is terminated
- Employee collects all belongings and surrenders all keys, keycards, and other company property
- Employee is then escorted out of the building

Hostile Departure
Hostile departure (involuntary) results from termination, downsizing, lay-off, or quitting. Before the employee knows he or she is leaving, security terminates all logical and keycard access. As soon as the employee reports for work, he or she is escorted into his supervisor’s office for the news. Upon receiving notice, he or she is escorted to his area and allowed to collect personal effects. No organizational property is taken from the premises. The employee is asked to surrender all keys, keycards, and other company property. He or she is then escorted out of the building.

39 Termination (cont’d.)

- Friendly departures include resignation, retirement, promotion, or relocation
- Employee may be notified well in advance of departure date
- More difficult for security to maintain positive control over employee’s access and information usage
- Employee access usually continues with new expiration date
- Employees come and go at will, collect their own belongings, and leave on their own

Friendly Departure
Friendly departure (voluntary) results from retirement, promotion, or relocation. In this case, the employee may have tendered notice well in advance of the actual departure date. This actually makes it more difficult for security to maintain positive control over the employee’s access and information usage. Employee accounts are usually allowed to continue with a new expiration date. Employees come and go at will, collect their own belongings, and leave on their own. They are asked to drop off all organizational property “on their way out the door.”

40 Termination (cont’d.)

- Offices and information used by the employee must be inventoried; files stored or destroyed; and property returned to organizational stores
- Possible that employees foresee departure well in advance and begin collecting organizational information for their future employment
- Only by scrutinizing systems logs after employee has departed can organization determine if there has been a breach of policy or a loss of information
- If information has been copied or stolen, report an incident and follow the appropriate policy

In either circumstance, the offices and information used by the employee must be inventoried, his or her files stored or destroyed, and all property returned to organizational stores. It is possible in either situation that the employees foresee departure well in advance and begin collecting organizational information or anything that could be valuable in their future employment. Only by scrutinizing systems logs after the employee has departed and sorting out authorized actions from systems misuse or information theft can the organization determine if there has been a breach of policy or a loss of information. In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed.
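The log review the termination slides call for can be put into code. The following Python is an added example, not material from the textbook; the user name, file paths, dates and log records are all constructed. It applies two of the points above to a departing employee's access records: an account that was given a new expiration date for a friendly departure should show no activity at all after that time (any hit means the revocation did not take effect), and a notice-period day with far more file reads than the employee's own earlier pattern is the "collecting organizational information" behavior the text describes and deserves a closer look before the incident policy is invoked.

```python
"""Post-departure log review (added example, not from the textbook).

Two checks motivated by the termination slides, run over constructed data:
 1. Any event after the account's scheduled expiration means the
    revocation did not take effect.
 2. A notice-period day with far more file reads than the user's busiest
    day before giving notice is worth a closer look.
"""
from collections import Counter
from datetime import date, datetime

# Constructed departure record for a hypothetical user.
DEPARTURE = {
    "user": "jdoe",
    "notice_date": date(2024, 3, 1),          # notice tendered
    "expires": datetime(2024, 3, 15, 17, 0),  # new account expiration set at departure
}

# Constructed access log: (timestamp, user, action, object)
LOG = [
    ("2024-02-05 09:12", "jdoe", "login", "-"),
    ("2024-02-05 09:30", "jdoe", "read", "/share/projects/alpha/spec.docx"),
    ("2024-02-12 10:02", "jdoe", "read", "/share/projects/alpha/budget.xlsx"),
    ("2024-02-19 11:40", "jdoe", "read", "/share/projects/alpha/plan.pptx"),
    ("2024-03-04 08:55", "jdoe", "login", "-"),
    ("2024-03-04 09:00", "jdoe", "read", "/share/customers/list.csv"),
    ("2024-03-04 09:01", "jdoe", "read", "/share/customers/contracts.zip"),
    ("2024-03-04 09:02", "jdoe", "read", "/share/projects/beta/design.pdf"),
    ("2024-03-04 09:03", "jdoe", "read", "/share/projects/beta/source.zip"),
    ("2024-03-04 09:04", "jdoe", "read", "/share/hr/salaries.xlsx"),
    ("2024-03-04 09:05", "jdoe", "read", "/share/finance/forecast.xlsx"),
    ("2024-03-04 09:10", "asmith", "read", "/share/projects/alpha/spec.docx"),
    ("2024-03-16 22:14", "jdoe", "login", "-"),   # after the account should have expired
    ("2024-03-16 22:15", "jdoe", "read", "/share/customers/list.csv"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def user_events(log, user):
    """Events for one user as (datetime, action, object), in log order."""
    return [(parse_ts(ts), act, obj) for ts, u, act, obj in log if u == user]


def access_after_expiration(log, departure):
    """Check 1: events after the expiration timestamp show the revocation failed."""
    return [ev for ev in user_events(log, departure["user"])
            if ev[0] > departure["expires"]]


def notice_period_spikes(log, departure, factor=3, min_reads=5):
    """Check 2: notice-period days whose read count is at least `factor` times
    the user's busiest pre-notice day (and at least `min_reads`, so a quiet
    baseline does not make ordinary activity look suspicious)."""
    reads_per_day = Counter(ev[0].date()
                            for ev in user_events(log, departure["user"])
                            if ev[1] == "read")
    notice, last_day = departure["notice_date"], departure["expires"].date()
    baseline_peak = max((n for d, n in reads_per_day.items() if d < notice), default=0)
    threshold = max(factor * baseline_peak, min_reads)
    return {d: n for d, n in reads_per_day.items()
            if notice <= d <= last_day and n >= threshold}


if __name__ == "__main__":
    for when, act, obj in access_after_expiration(LOG, DEPARTURE):
        print(f"ACCESS AFTER EXPIRATION: {when} {act} {obj}")
    for day, n in sorted(notice_period_spikes(LOG, DEPARTURE).items()):
        print(f"NOTICE-PERIOD SPIKE: {day} had {n} file reads")
```

Both findings are leads, not conclusions: the slide is explicit that authorized actions must be sorted from misuse before anything is declared an incident, which is why the second check reports counts for a human to judge rather than a verdict.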

41 Security Considerations for Nonemployees

- Individuals not subject to screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information
- Relationships with these individuals should be carefully managed to prevent possible information leak or theft

A number of individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information. Relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft.

42 Temporary Employees

- Hired by organization to serve in temporary position or to supplement existing workforce
- Often not subject to contractual obligations or general policies; if temporary employees breach a policy or cause a problem, possible actions are limited
- Access to information for temporary employees should be limited to that necessary to perform duties
- Temporary employee’s supervisor must restrict the information to which access is possible

Temporary employees are hired by the organization to serve in a temporary position or to supplement the existing workforce. These employees may be the paid employees of a “temp agency” or similar organization. As they are not employed by the host organization, they are often not subject to the contractual obligations or general policies of other employees. If these individuals breach a policy or cause a problem, the strongest action the host organization can take is to terminate the relationships with the individuals and request that they be censured. From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties. The organization can attempt to have temporary employees sign nondisclosure agreements and fair use policies, but they may refuse, forcing the organization to either dismiss the temp worker or allow him to work without the agreement. Ensure that the temp’s supervisor restricts the information to which he has access and makes sure all employees follow good security practices, especially clean desk policies and the security of classified data.

43 Contract Employees

- Typically hired to perform specific services for organization
- Host company often makes contract with parent organization rather than with individual for a particular task
- In secure facility, all contract employees escorted from room to room, as well as into and out of facility
- There is need for restrictions or requirements to be negotiated into contract agreements when they are activated

Contract employees are typically hired to perform specific services for the organization. The host company often makes a contract with a parent organization rather than with an individual for a particular task. Although some individuals may require access to virtually all areas of the organization to do their jobs, they seldom need access to information or information resources. Contract employees may need access to various facilities; however, this does not mean they should be allowed to wander freely in and out of buildings. In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility. There is also the need for certain restrictions or requirements to be negotiated into the contract agreements when they are activated.

44 Consultants

- Should be handled like contract employees, with special requirements for information or facility access integrated into contract
- Security and technology consultants must be prescreened, escorted, and subjected to nondisclosure agreements to protect organization
- Just because security consultant is paid doesn’t make the protection of organization’s information the consultant’s number one priority

Consultants should be handled like contract employees, with special requirements for information or facility access integrated into the contract before these individuals are allowed outside the conference room. Security and technology consultants especially must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization from possible intentional or accidental breaches of confidentiality. Just because you pay a security consultant doesn’t make the protection of your information his or her number one priority.

45 Business Partners

- Businesses find themselves in strategic alliances with other organizations, desiring to exchange information or integrate systems
- There must be meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom
- Nondisclosure agreements and the level of security of both systems must be examined before any physical integration takes place

On occasion, businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply to discuss operations for mutual advantage. There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom. Nondisclosure agreements abound, and the level of security of both systems must be examined before any physical integration takes place, as system connection means that the vulnerability of one system is the vulnerability of all.

46 Internal Control Strategies

- Cornerstone in protection of information assets and against financial loss
- Separation of duties: control used to reduce chance of individual violating information security; stipulates that completion of significant task requires at least two people
- Collusion: unscrupulous workers conspiring to commit unauthorized task

Separation of Duties and Collusion
Separation of duties is a cornerstone in the protection of information assets and in preventing loss. The completion of a significant task that involves sensitive information should require two people. If one person has the authorization to access a particular set of information, there may be nothing to prevent this individual from copying it and removing it from the premises. The check and balance method requires two or more people to conspire to commit an incident, which is known as collusion. The odds that two people are willing and able to misuse or abuse the system are much lower than one.

Related to the concept of separation of duties is that of two-man control, the requirement that two individuals review and approve each other’s work before the task is categorized as finished. This is distinct from separation of duties, in which the two work in sequence. In two-man control, each person completely finishes the necessary work, and then submits it to the coworker. Each coworker examines the work performed, double-checking the actions performed and making sure no errors or inconsistencies exist.

Another control used to prevent personnel from misusing information assets is job rotation or task rotation, the requirement that every employee be able to perform the work of another employee. Ensuring that all critical tasks have multiple individuals capable of performing the tasks can greatly increase the chance that one employee could detect misuse of the system or abuse of the information of another. A mandatory vacation, of at least one week, provides the ability to audit the work of an individual. Individuals who are stealing or misusing information or systems are reluctant to take vacations, for fear that their actions will be detected.

Employees should be provided access to the minimal amount of information for the minimal amount of time necessary for them to perform their duties. Similar to the concept of need-to-know, least privilege ensures that no unnecessary access to data occurs, and that only those individuals who must access the data do so. The whole purpose of information security is to allow those people with a need to use information to do so without concern for the loss of confidentiality, integrity, and availability. Everyone who can access data probably will, resulting in numerous potential losses.

47 Internal Control Strategies (cont’d.)

- Two-man control: two individuals review and approve each other’s work before the task is categorized as finished
- Job rotation: employees know each others’ job skills
- Least privilege: ensures that no unnecessary access to data exists and that only those individuals who must access the data do so
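Three of the controls on these two slides translate directly into checks a system can enforce. The following Python is an added example, not the textbook's; the users, task names and file paths are constructed. It models separation of duties (the person who prepares a sensitive task cannot be the one who approves it, so misuse would need collusion), two-man control (each of two workers finishes the work independently and then checks the other's result; the task counts as finished only after both reviews pass), and least privilege (access is granted per resource for a limited time and checked on every request, with nothing granted by default). Job rotation and mandatory vacation are organizational controls and are not modeled.

```python
"""Internal control strategies as enforceable checks (added example, not from
the textbook): separation of duties, two-man control, and least privilege
with time-bound access. All users, tasks and paths are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


class ControlViolation(Exception):
    """Raised when an action would bypass one of the controls."""


def violates(action, *args) -> bool:
    """True if the action is blocked by a control; used to report outcomes."""
    try:
        action(*args)
    except ControlViolation:
        return True
    return False


@dataclass
class SensitiveTask:
    """Separation of duties: the preparer of a task may not approve it."""
    name: str
    prepared_by: Optional[str] = None
    approved_by: Optional[str] = None

    def prepare(self, user: str) -> None:
        self.prepared_by = user

    def approve(self, user: str) -> None:
        if self.prepared_by is None:
            raise ControlViolation("nothing has been prepared yet")
        if user == self.prepared_by:
            raise ControlViolation(f"{user} may not approve their own work")
        self.approved_by = user

    @property
    def complete(self) -> bool:
        return self.prepared_by is not None and self.approved_by is not None


@dataclass
class TwoManControl:
    """Two-man control: both workers finish independently, then each checks
    the other's result; finished only when both reviews pass."""
    workers: tuple
    results: dict = field(default_factory=dict)
    reviewed: set = field(default_factory=set)

    def submit(self, worker: str, result) -> None:
        if worker not in self.workers:
            raise ControlViolation(f"{worker} is not assigned to this task")
        self.results[worker] = result

    def review(self, reviewer: str) -> None:
        if reviewer not in self.workers:
            raise ControlViolation(f"{reviewer} is not assigned to this task")
        if len(self.results) < 2:
            raise ControlViolation("both workers must finish before any review")
        other = self.workers[1] if reviewer == self.workers[0] else self.workers[0]
        if self.results[other] != self.results[reviewer]:
            raise ControlViolation("results disagree; rework before sign-off")
        self.reviewed.add(reviewer)

    @property
    def finished(self) -> bool:
        return set(self.workers) <= self.reviewed


@dataclass
class Grant:
    user: str
    resource: str
    expires: datetime


class LeastPrivilege:
    """Least privilege: per-resource, time-bound grants checked on every request."""

    def __init__(self) -> None:
        self.grants = []

    def grant(self, user: str, resource: str, hours: int, now: datetime) -> None:
        self.grants.append(Grant(user, resource, now + timedelta(hours=hours)))

    def allowed(self, user: str, resource: str, now: datetime) -> bool:
        return any(g.user == user and g.resource == resource and now < g.expires
                   for g in self.grants)


def demo() -> dict:
    """Exercise the three controls with constructed users; return the outcomes."""
    task = SensitiveTask("release vendor payment batch")
    task.prepare("alice")
    self_approval_blocked = violates(task.approve, "alice")
    task.approve("bob")

    pair = TwoManControl(("carol", "dan"))
    pair.submit("carol", 1250.00)
    early_review_blocked = violates(pair.review, "carol")
    pair.submit("dan", 1250.00)
    pair.review("carol")
    pair.review("dan")

    lp = LeastPrivilege()
    t0 = datetime(2024, 3, 1, 9, 0)
    lp.grant("erin", "/payroll/march.xlsx", hours=4, now=t0)
    return {
        "self_approval_blocked": self_approval_blocked,
        "task_complete": task.complete,
        "early_review_blocked": early_review_blocked,
        "two_man_finished": pair.finished,
        "in_window": lp.allowed("erin", "/payroll/march.xlsx", t0 + timedelta(hours=1)),
        "after_window": lp.allowed("erin", "/payroll/march.xlsx", t0 + timedelta(hours=5)),
        "other_resource": lp.allowed("erin", "/payroll/april.xlsx", t0 + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of the `LeastPrivilege` class is what it does not do: there is no wildcard, no default grant, and every grant carries an expiry, which is the "minimal amount of information for the minimal amount of time" rule from the slide expressed as data.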

48 Figure 11-6 Internal Control Strategies

49 Privacy and the Security of Personnel Data

- Organizations required by law to protect sensitive or personal employee information
- Includes employee addresses, phone numbers, Social Security numbers, medical conditions, and family names and addresses
- This responsibility also extends to customers, patients, and business relationships

Another personnel and security topic is the security of personnel and personal data. Organizations are required by law to protect employee information that is sensitive or personal. This includes employee addresses, phone numbers, Social Security numbers, medical conditions, and even names and addresses of family and relatives. This responsibility also extends to customers, patients, and business relationships.

50 Summary

- Positioning the information security function within organizations
- Issues and concerns about staffing information security
- Professional credentials of information security professionals
- Organizational employment policies and practices related to successful information security

51 Summary (cont’d.)

- Special security precautions for nonemployees
- Separation of duties
- Special requirements needed for the privacy of personnel data

